Missing auto generated WAN rules for site to site IPsec using CARP address
Topic: Missing auto generated WAN rules for site to site IPsec using CARP address (Read 2730 times)
nzkiwi68
Full Member
Posts: 182
Karma: 20
Missing auto generated WAN rules for site to site IPsec using CARP address
« on: April 10, 2021, 11:08:08 pm »
21.1.4
Trying to make a site to site IPsec tunnel from an HA OPNsense cluster using the CARP address to a single OPNsense fw.
Remote site, single fw:
VPN: IPsec: Status Overview
I noticed in the stats that Bytes out was counting up but there were never any Bytes in.
HA clustered fw:
VPN: IPsec: Status Overview
I noticed in the stats that Bytes in and out were both zero.
That got me thinking that the ESP traffic was getting dropped, and then I discovered that on the HA site, under GUI > Firewall: Rules: WAN, the "Automatically generated rules" had nothing for the IPsec tunnel that had the CARP address set in P1. If I changed P1 from the CARP address to the actual WAN interface IP, then the auto rules get created.
Looks like a bug with CARP and IPsec.
Could that be why the tunnel got created but no traffic would pass?
nzkiwi68
Full Member
Posts: 182
Karma: 20
Re: Missing auto generated WAN rules for site to site IPsec using CARP address
« Reply #1 on: April 11, 2021, 07:59:36 pm »
Until I added my own manual WAN allow IPsec rules, the tunnel would not work.
Interestingly, I can lock down the remote IP address for the ISAKMP and NAT-T rules, but the allow ESP rule had to be from "any" to work; locking down ESP to be from a specific IP address did not work.
nzkiwi68
Full Member
Posts: 182
Karma: 20
Re: Missing auto generated WAN rules for site to site IPsec using CARP address
« Reply #2 on: April 11, 2021, 09:13:50 pm »
OK, I give up!
I can sort of, from time to time, get it to go by writing my own in and out WAN firewall rules, but, boy, are they unreliable.
I am convinced that the CARP address attached to the WAN is mostly (or only occasionally) matching my inbound firewall rules of destination "this firewall" or when I write the exact CARP IP address.
I say that because it's just so hit and miss to get it to work.
We really need this looked at:
* binding the CARP address
* WAN auto IPsec allow firewall rules when using a CARP address in your firewall P1
« Last Edit: April 11, 2021, 09:49:14 pm by nzkiwi68 »
nzkiwi68
Full Member
Posts: 182
Karma: 20
Re: Missing auto generated WAN rules for site to site IPsec using CARP address
« Reply #3 on: April 11, 2021, 09:48:06 pm »
Phew, found my issue with the unreliable CARP WAN IP.
I'm replacing a pair of pfSense HA firewalls, and I have the OPNsense firewalls set up on the same LAN and WAN with different IP addresses.
But!
I did clash when creating the OPNsense CARP addresses: I used the same VHID numbers (starting from 1, you see) and I didn't think about VHIDs 1 and 2 already being in use by pfSense.
One to watch out for...
...The auto WAN IPsec firewall rules missing and not getting created are still an issue when using CARP.
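Two checks that follow from this thread, written as an added example (not code from the poster or from OPNsense): reply #1's manual WAN rules need IKE (udp/500), NAT-T (udp/4500) and ESP passed to the CARP VIP, and reply #3's VHID clash is visible in CARP advertisements on the segment before you pick a number. The interface name, addresses, the `pfctl -sr` and `tcpdump -T carp` sample lines are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense. Assumptions (constructed):
# WAN is vtnet0, the CARP VIP is 203.0.113.10, the remote peer is 198.51.100.20.

# Constructed `pfctl -sr` excerpt shaped like the manual rules in reply #1:
# NAT-T locked to the peer, ESP from any, and the udp/500 rule deliberately absent.
SAMPLE_PFCTL='pass in quick on vtnet0 inet proto udp from 198.51.100.20 to 203.0.113.10 port = ipsec-nat-t keep state label "ike nat-t"
pass in quick on vtnet0 inet proto esp from any to 203.0.113.10 keep state label "esp"
block drop in log quick on vtnet0 inet from any to 203.0.113.10'

# Constructed `tcpdump -ni vtnet0 -T carp proto 112` excerpt: the old pfSense pair
# still advertising VHID 1 and 2 on the shared segment (reply #3).
SAMPLE_TCPDUMP='12:00:01.000001 IP 203.0.113.2 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=0 authlen=7 counter=1
12:00:01.000002 IP 203.0.113.3 > 224.0.0.18: CARPv2-advertise 36: vhid=1 advbase=1 advskew=100 authlen=7 counter=1
12:00:01.000003 IP 203.0.113.2 > 224.0.0.18: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 authlen=7 counter=1'

# Print which of the three IPsec passes to VIP $1 are absent from ruleset text $2;
# return 0 only when none are missing.
ipsec_rules_missing() {
    vip="$1"; rules="$2"; missing=""
    printf '%s\n' "$rules" | grep -Eq "^pass in .*proto udp from .* to $vip port = (isakmp|500)( |$)" \
        || missing="$missing isakmp"
    printf '%s\n' "$rules" | grep -Eq "^pass in .*proto udp from .* to $vip port = (ipsec-nat-t|4500)( |$)" \
        || missing="$missing nat-t"
    printf '%s\n' "$rules" | grep -Eq "^pass in .*proto esp from .* to $vip( |$)" \
        || missing="$missing esp"
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# List the VHIDs already advertised on the segment, from tcpdump text $1.
carp_vhids_seen() {
    printf '%s\n' "$1" | sed -n 's/.*vhid=\([0-9]*\).*/\1/p' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 when VHID $1 is not advertised by anyone in tcpdump text $2.
vhid_free() {
    for v in $(carp_vhids_seen "$2"); do [ "$v" = "$1" ] && return 1; done
    return 0
}

ipsec_rules_missing 203.0.113.10 "$SAMPLE_PFCTL" || echo "add the missing WAN rule(s) above"
echo "VHIDs in use: $(carp_vhids_seen "$SAMPLE_TCPDUMP")"
vhid_free 3 "$SAMPLE_TCPDUMP" && echo "vhid 3 is free"
```

On a live node, feed the functions `"$(pfctl -sr)"` and a few seconds of `tcpdump -ni vtnet0 -T carp proto 112` output instead of the samples.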